| Index: crypto/ec_private_key.cc
|
| diff --git a/crypto/ec_private_key.cc b/crypto/ec_private_key.cc
|
| index 08fd75dec3c95f74bb381c082e8000dc7f02fa28..75b86c0c0577e6b852ddd564110936ddcb453b0d 100644
|
| --- a/crypto/ec_private_key.cc
|
| +++ b/crypto/ec_private_key.cc
|
| @@ -11,52 +11,16 @@
|
|
|
| #include "base/logging.h"
|
| #include "crypto/openssl_util.h"
|
| -#include "third_party/boringssl/src/include/openssl/bio.h"
|
| #include "third_party/boringssl/src/include/openssl/bn.h"
|
| #include "third_party/boringssl/src/include/openssl/bytestring.h"
|
| #include "third_party/boringssl/src/include/openssl/ec.h"
|
| #include "third_party/boringssl/src/include/openssl/ec_key.h"
|
| #include "third_party/boringssl/src/include/openssl/evp.h"
|
| #include "third_party/boringssl/src/include/openssl/mem.h"
|
| -#include "third_party/boringssl/src/include/openssl/pkcs12.h"
|
| -#include "third_party/boringssl/src/include/openssl/x509.h"
|
| +#include "third_party/boringssl/src/include/openssl/pkcs8.h"
|
|
|
| namespace crypto {
|
|
|
| -namespace {
|
| -
|
| -// Function pointer definition, for injecting the required key export function
|
| -// into ExportKeyWithBio, below. |bio| is a temporary memory BIO object, and
|
| -// |key| is a handle to the input key object. Return 1 on success, 0 otherwise.
|
| -// NOTE: Used with OpenSSL functions, which do not comply with the Chromium
|
| -// style guide, hence the unusual parameter placement / types.
|
| -typedef int (*ExportBioFunction)(BIO* bio, const void* key);
|
| -
|
| -// Helper to export |key| into |output| via the specified ExportBioFunction.
|
| -bool ExportKeyWithBio(const void* key,
|
| - ExportBioFunction export_fn,
|
| - std::vector<uint8_t>* output) {
|
| - if (!key)
|
| - return false;
|
| -
|
| - bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
|
| - if (!bio)
|
| - return false;
|
| -
|
| - if (!export_fn(bio.get(), key))
|
| - return false;
|
| -
|
| - const uint8_t* data;
|
| - size_t len;
|
| - if (!BIO_mem_contents(bio.get(), &data, &len))
|
| - return false;
|
| -
|
| - output->assign(data, data + len);
|
| - return true;
|
| -}
|
| -
|
| -} // namespace
|
| -
|
| ECPrivateKey::~ECPrivateKey() {}
|
|
|
| // static
|
| @@ -97,40 +61,32 @@ std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromPrivateKeyInfo(
|
| std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
|
| const std::vector<uint8_t>& encrypted_private_key_info,
|
| const std::vector<uint8_t>& subject_public_key_info) {
|
| - // NOTE: The |subject_public_key_info| can be ignored here, it is only
|
| - // useful for the NSS implementation (which uses the public key's SHA1
|
| - // as a lookup key when storing the private one in its store).
|
| - if (encrypted_private_key_info.empty())
|
| - return nullptr;
|
| -
|
| + // TODO(davidben): The |subject_public_key_info| parameter is a remnant of
|
| + // the NSS implementation. Remove it.
|
| OpenSSLErrStackTracer err_tracer(FROM_HERE);
|
|
|
| - const uint8_t* data = &encrypted_private_key_info[0];
|
| - const uint8_t* ptr = data;
|
| - bssl::UniquePtr<X509_SIG> p8_encrypted(
|
| - d2i_X509_SIG(nullptr, &ptr, encrypted_private_key_info.size()));
|
| - if (!p8_encrypted || ptr != data + encrypted_private_key_info.size())
|
| - return nullptr;
|
| + CBS cbs;
|
| + CBS_init(&cbs, encrypted_private_key_info.data(),
|
| + encrypted_private_key_info.size());
|
| + bssl::UniquePtr<EVP_PKEY> pkey(
|
| + PKCS8_parse_encrypted_private_key(&cbs, "", 0));
|
|
|
| // Hack for reading keys generated by an older version of the OpenSSL code.
|
| // Some implementations encode the empty password as "\0\0" (passwords are
|
| // normally encoded in big-endian UCS-2 with a NUL terminator) and some
|
| - // encode as the empty string. PKCS8_decrypt distinguishes the two by whether
|
| - // the password is nullptr.
|
| - bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> p8_decrypted(
|
| - PKCS8_decrypt(p8_encrypted.get(), "", 0));
|
| - if (!p8_decrypted)
|
| - p8_decrypted.reset(PKCS8_decrypt(p8_encrypted.get(), nullptr, 0));
|
| -
|
| - if (!p8_decrypted)
|
| - return nullptr;
|
| + // encode as the empty string. PKCS8_parse_encrypted_private_key
|
| + // distinguishes the two by whether the password is nullptr.
|
| + if (!pkey) {
|
| + CBS_init(&cbs, encrypted_private_key_info.data(),
|
| + encrypted_private_key_info.size());
|
| + pkey.reset(PKCS8_parse_encrypted_private_key(&cbs, nullptr, 0));
|
| + }
|
|
|
| - // Create a new EVP_PKEY for it.
|
| - std::unique_ptr<ECPrivateKey> result(new ECPrivateKey());
|
| - result->key_.reset(EVP_PKCS82PKEY(p8_decrypted.get()));
|
| - if (!result->key_ || EVP_PKEY_id(result->key_.get()) != EVP_PKEY_EC)
|
| + if (!pkey || CBS_len(&cbs) != 0 || EVP_PKEY_id(pkey.get()) != EVP_PKEY_EC)
|
| return nullptr;
|
|
|
| + std::unique_ptr<ECPrivateKey> result(new ECPrivateKey());
|
| + result->key_ = std::move(pkey);
|
| return result;
|
| }
|
|
|
| @@ -161,25 +117,26 @@ bool ECPrivateKey::ExportPrivateKey(std::vector<uint8_t>* output) const {
|
| bool ECPrivateKey::ExportEncryptedPrivateKey(
|
| std::vector<uint8_t>* output) const {
|
| OpenSSLErrStackTracer err_tracer(FROM_HERE);
|
| - // Convert into a PKCS#8 object.
|
| - bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> pkcs8(EVP_PKEY2PKCS8(key_.get()));
|
| - if (!pkcs8)
|
| - return false;
|
|
|
| // Encrypt the object.
|
| // NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
|
| // so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL
|
| // equivalent.
|
| - bssl::UniquePtr<X509_SIG> encrypted(
|
| - PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, nullptr, 0,
|
| - nullptr, 0, 1, pkcs8.get()));
|
| - if (!encrypted)
|
| + uint8_t* der;
|
| + size_t der_len;
|
| + bssl::ScopedCBB cbb;
|
| + if (!CBB_init(cbb.get(), 0) ||
|
| + !PKCS8_marshal_encrypted_private_key(
|
| + cbb.get(), NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
|
| + nullptr /* cipher */, nullptr /* no password */, 0 /* pass_len */,
|
| + nullptr /* salt */, 0 /* salt_len */, 1 /* iterations */,
|
| + key_.get()) ||
|
| + !CBB_finish(cbb.get(), &der, &der_len)) {
|
| return false;
|
| -
|
| - // Write it into |*output|
|
| - return ExportKeyWithBio(encrypted.get(),
|
| - reinterpret_cast<ExportBioFunction>(i2d_PKCS8_bio),
|
| - output);
|
| + }
|
| + output->assign(der, der + der_len);
|
| + OPENSSL_free(der);
|
| + return true;
|
| }
|
|
|
| bool ECPrivateKey::ExportPublicKey(std::vector<uint8_t>* output) const {
|
|
|
Chromium Code Reviews
Issue 2781993006:
Use new APIs for parsing encrypted ECPrivateKeys. (Closed)
